- Contact The DPO Centre
- +44 (0)203 797 1289
- hello@dpocentre.com
Charity FAQs – How does GDPR relate to my organisation?
January 23, 2023
CJEU Decision: Data subjects have the right to know who has received their personal data
February 20, 2023
Electronic marketing, or e-marketing, is a type of advertising that includes marketing activities conducted by an organisation online using the Internet and online based digital technologies such as mobile phones, computers, and other digital media platforms to promote products and services. If your organisation relies on electronic marketing, you need to be aware of the rules around its use. The Privacy and Electronic Communications Regulation (PECR) – rather than the GDPR, is the law that regulates the rules around electronic communications. PECR covers marketing by electronic means (electronic marketing), the use of cookiesData which tracks a visitor’s movement on a website and remembers their behaviour and preferences., security of public electronic communication servers, and privacy of customers using communication network or services.
This blog will not focus on the ‘ins and outs’ of PECR as a whole (you can read our guide for that), but will break down the guidance on electronic marketing.
Basics of electronic marketing
The basic rule enshrined in PECR on marketing is that you must not send electronic mail marketing to individuals unless:
- They have specifically consented to receive such communications from your organisation; or
- You are relying on the soft opt-in exception (explained below)
Even where one of the above scenarios is met, there are a few more considerations to keep in mind:
- You have to give them a simple way to opt outA positive action to choose not to be part of an activity or to stop being involved in it. when you send each message and when you first collect their details; and
- You must not hide your organisation’s identity
- You must provide a valid contact address so they can opt out
This rule is the same if you are sending marketing via emails, texts, videos, voicemails, direct messages via social media or similar messages that are stored electronically. ‘Electronic mail’ has an intentionally broad meaning that includes various forms for messaging. The agreed definition is:
“Any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”.
Unlike sales and marketing calls, there is no version of the Telephone Preference Service (TPS) for email and electronic marketing. The TPS is the UK’s ‘do not call’ list for both landlines and mobiles and allows both business and individuals to opt out of all marketing and sales calls in one foul swoop. Bearing this in mind, if planning to market to people over the phone, it is important to cross-reference your contact list with the TPS so as not to unwittingly call someone who has opted out, leaving your organisation in breach of their obligations under PECR and the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU..
When is it appropriate to use electronic marketing on individuals?
Aside from when you can rely on the soft opt-in exception (explained below), you should only electronically market to individuals if they have given their specific consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. to receive electronic marketing from your organisation. They can do this by ticking an opt-in box and/or signing up to your mailing lists.
It is important to familiarise yourself with the rules around consent and what it should entail. PECR defines consent in the same way that the UK GDPR does in Article 7. Consent must be:
- Freely given;
- Clear;
- Specific;
- Consist of an affirmative action; and
- Be able to be withdrawn at any time
If you fail to gain the proper consent, and meet the above criteria, then you could end up in hot water with the Information Commissioner’s OfficeThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).), as well as reputational damage resulting from unhappy customers or prospects. You should also keep in mind that consent does not last forever, it is important to regularly review your electronic marketing databases and remove any contacts that are not engaged.
Soft opt-in
‘Soft opt-in’ is the exception to the rule that consent must be gained prior to sending electronic marketing messages to individuals. This exception allows you to send direct marketing to already existing customers or active prospect customers (e.g. those that have downloaded a brochure) that may not have necessarily given their explicit consentA clear and unambiguous expressed statement of consent. This can be provided in writing, by filling out online forms using electronic signatures, or even via oral statements (so long as the conditions for valid consent have been met).. Without spoiling our previous blog, soft opt-in allows you to market similar products and services, even if they have not consented. However, you are required to give them a chance to opt out. The crucial point to note here is that this rule does not apply to non-commercial promotions like political campaigns or charity fundraising.
Business-to-business electronic marketing
Depending on what type of business you are planning to market to, the rules you need to follow may be slightly different. Sole traders and some partnerships are treated as individuals, so the requirement to gain consent will apply.
However, you can send electronic marketing to almost any corporate body, including companies, Scottish partnerships, limited liability partnerships, or government bodies by relying on legitimate interestsLegitimate interests is one of the six lawful bases for processing personal data. You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.. However, if someone can be identified by the professional email address you are marketing to (e.g. name@company.com), you need to be mindful that the UK GDPR will apply.
In addition, you should still, just as good practice, keep a “do not email or text” list of any business that objects or wishes to opt out. You should also screen any new marketing contacts against this list.
(For more information on how corporate structures effect GDPR compliance, click here to read our blog)
Viral and online marketing and behavioural advertising
The same rules apply if you send a viral message or if you ‘instigated’ someone else to send it on your behalf. ‘Instigating’ a message is when you ask your customers to forward marketing messages onto their contacts. You will only be responsible under PECR if you have encouraged your customers to forward on the marketing message.
It is also wise to avoid any kind of marketing where you ask your customers to provide their contacts’ contact details (such as for a referral scheme), as one person cannot provide consent on another’s behalf to receive marketing messages.
Any marketing delivered via social media will need to comply with these rules too. PECR do not set rules on other types of online marketing, banner or display ads for example, but there are specific rules on cookies. Cookies are often used to profile users and target behavioural advertising. You can find the ICO’s rules on cookies here.
Other considerations
As well as the above, you and your organisation should consider the following:
- The wider implications of both the UK GDPR and PECR – you should consider other legislation and not just the rules and guidance around electronic marketing (after all, where it involves personal dataInformation which relates to an identified or identifiable natural person., the UK GDPR and Data Protection Act 2018The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK (and supersedes the Data Protection Act 1998), and implemented the GDPR into UK legislation. will be engaged)
- Know what you are sending and to whom – campaign groups and fundraising bodies/charities have different rules to follow, and different rules apply regarding B2C and B2B marketing, so identifying if you are sending to individuals in their personal or professional capacity is vital
- Ensure you have gathered the necessary consent for B2C marketing – keep in mind the requirements around consent. Even if you are relying on soft opt-in, you need to ensure that you are doing it in a way that is compliant with PECR
- When marketing B2C, soft opt-in won’t be an option – this is especially true if you have used bought-in marketing lists or have bought contact details from third parties.
- Cookies and tracking pixels – you will need to understand the ICO’s further guidance on these and how PECR regulates tracking pixels and cookies
If electronic marketing is something your organisation utilises, you need to be up to date and ensure you comply with the ICO’s guidance. If you, or your organisation, need help with electronic marketing and remaining compliant with both the UK GDPR and PECR, contact our team.
